VoIP NAT Traversal - Session Border Controller

VoIP-NAT Problem

Most residential and SOHO users sit behind NAT routers/firewalls, which makes rolling out IP phones or residential phone adapters a challenge. VoIP protocols embed the originating device's own IP address in the session-layer messages (for SIP: the Via and Contact headers and the SDP body), and the firewall will not allow a session originated from the public Internet to reach the protected internal network. The result is a range of problems, such as no audio or one-way audio, in VoIP deployments. Workarounds such as STUN, or reconfiguring the end user's router or firewall, do not always work and become a support nightmare across the different types of NAT.

ITSPs and VoIP service providers therefore add a VoIP Session Border Controller and an RTP bridge server to their networks to support IP devices behind NAT. In most cases, however, the SBC relays the media stream, adding latency and delay that degrade the end user's perceived audio quality. Relaying media for hundreds or thousands of concurrent calls also consumes the ITSP's own bandwidth and requires far more processing power from the servers.
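The following is an added example, not NATPass code, showing the SIP-side fix-up an SBC performs for a device behind NAT: the private address the phone wrote into Via, Contact and the SDP is replaced with the public address and port the SBC observed on the wire (Via gets RFC 3581 received/rport parameters). The INVITE, the observed source 203.0.113.45:41022 and all names are constructed; the m= port is deliberately left alone because the NAT's public RTP port is only learned from the first RTP packet.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Explicit RFC 1918 / CGNAT / link-local / loopback list. Python's is_private would
# also flag the documentation ranges used for the constructed sample, so it is not used.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8",                    # link-local, loopback
)]


def _is_private(host: str) -> bool:
    """True for an IPv4 literal in a non-routable range; False for hostnames/IPv6."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in n for n in _PRIVATE_NETS)


def build_message(headers: List[str], body: str) -> str:
    """Assemble a SIP message, (re)computing Content-Length from the body."""
    hdrs = [h for h in headers if not h.lower().startswith("content-length")]
    hdrs.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed INVITE from an ATA that only knows its private address 192.168.1.20.
# The SBC socket actually sees the packet arrive from 203.0.113.45:41022 (the NAT mapping).
SAMPLE_INVITE = build_message(
    [
        "INVITE sip:15551234567@sip.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport",
        "From: <sip:alice@sip.example.net>;tag=1928301774",
        "To: <sip:15551234567@sip.example.net>",
        "Call-ID: a84b4c76e66710@192.168.1.20",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.168.1.20:5060>",
        "Content-Type: application/sdp",
    ],
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n",
)
OBSERVED_SRC = ("203.0.113.45", 41022)   # constructed: what the SBC's socket reports

VIA_RE = re.compile(r"^(Via:\s*SIP/2\.0/\w+\s+)([^\s;:]+)(:\d+)?(.*)$", re.I)
CONTACT_RE = re.compile(r"^(Contact:\s*<sips?:(?:[^@>]+@)?)([^:;>]+)(:\d+)?(.*)$", re.I)
SDP_ADDR_RE = re.compile(r"^((?:c=IN IP4 )|(?:o=\S+ \S+ \S+ IN IP4 ))(\S+)$")


def fixup_nat(message: str, src_ip: str, src_port: int) -> Tuple[str, Dict[str, bool]]:
    """Rewrite private IPv4 literals in a SIP request to the address:port the SBC
    observed on the wire. Returns the rewritten message and a record of what changed."""
    head, _, body = message.partition("\r\n\r\n")
    changed = {"via": False, "contact": False, "sdp": False, "media_latch": False}
    headers = []
    for line in head.split("\r\n"):
        m = VIA_RE.match(line)
        if m and _is_private(m.group(2)):
            # RFC 3581: record the real source so responses travel back through the
            # NAT binding instead of being sent to the unroutable private address.
            params = re.sub(r";rport(?=;|$)", "", m.group(4))   # drop the empty rport
            line = (f"{m.group(1)}{m.group(2)}{m.group(3) or ''}{params}"
                    f";received={src_ip};rport={src_port}")
            changed["via"] = True
        m = CONTACT_RE.match(line)
        if m and _is_private(m.group(2)):
            # In-dialog requests from the proxy are sent to Contact, so it must
            # point at the NAT's public mapping, not the phone's private address.
            line = f"{m.group(1)}{src_ip}:{src_port}{m.group(4)}"
            changed["contact"] = True
        headers.append(line)
    sdp_lines = []
    for line in body.split("\r\n"):
        m = SDP_ADDR_RE.match(line)
        if m and _is_private(m.group(2)):
            line = f"{m.group(1)}{src_ip}"
            changed["sdp"] = True
        sdp_lines.append(line)
    if changed["sdp"]:
        # The m= port is the phone's private RTP port. The NAT's public RTP port is
        # unknown until the first RTP packet arrives, so media handling must latch on
        # that packet's source (symmetric RTP) rather than trust the SDP port.
        changed["media_latch"] = True
    return build_message(headers, "\r\n".join(sdp_lines)), changed
```

Opaque identifiers such as the Call-ID are left untouched even though they contain the private address; only fields that are used for routing are rewritten. A request that already carries a public address passes through unchanged.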

NATPass™

NATPass™ is a VoIP NAT traversal solution and Session Border Controller that allows VoIP sessions to succeed when one or both endpoint devices (phone adapters, gateways or IP phones) are on a NATed network. NATPass™ performs media path optimization (MPO), so the media stream flows directly between the endpoints.

NATPass™ Firewall Controller is designed as a cost-effective and simple solution for ITSPs and VoIP service providers to deploy their network with a minimum of support and intervention on the customer premises side; it fully automates the NAT traversal process. NATPass™ is compatible with any SIP-compliant endpoint and server and can traverse full cone, restricted cone, port restricted cone and symmetric NAT.

Beyond NAT traversal, NATPass™ also addresses security. DoS and DDoS attacks, both fast floods and slow attacks, can be controlled. NATPass™ protects the proxy and registrar from malformed SIP packets and from the avalanche restart effect described in RFC 5390.

By design, NATPass™ is not a multi-protocol solution; it is built and optimized for SIP to increase its overall performance, reliability and ease of maintenance. NATPass™ works as an intermediary between SIP endpoint devices (hard phones, softphones, ATAs) and SIP proxies and registrars (often the same server). NATPass™ provides great scalability at the lowest cost.

VoIP DOS attack problem

The rapid adoption of VoIP and SIP by enterprises and SOHOs has made SIP a target for attackers. SIP trunk and hosted PBX providers must expose a public IP address to serve their customers, and are therefore exposed to Denial of Service attacks.

The most common threat is a brute-force attack against SIP passwords, in which the VoIP servers are flooded with registration requests on the well-known ports (5060/5061). The goal is to guess a subscriber's SIP password and gain access to the account in order to place long-distance or automated phishing calls to random people. A side effect is that the brute-force attack creates a huge load on the SIP servers, which try to validate the authentication of every single request. Often the SIP server becomes unresponsive or crashes, affecting legitimate users.

Denial of Service attacks are nowadays a main concern for most ITSPs. Distributed Denial of Service (DDoS) attacks are even harder to fight, and only a few expensive commercial solutions are available to cope with this threat.
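As an added example (not NATPass code), the following shows the two protections described above, dropping malformed SIP before it reaches the registrar and stopping REGISTER brute force, as a front-end filter keyed by source IP. It treats two patterns as attacks: many REGISTER attempts on one account (password guessing) and many distinct accounts from one source (extension enumeration). The traffic, thresholds (20 attempts or 5 accounts per 60 s, 5 min block) and addresses are all constructed.

```python
import re
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Tuple

# RFC 3261 request line: Method SP Request-URI SP SIP-Version. Anything else is
# malformed and is never forwarded to the proxy/registrar.
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sips?:\S+) SIP/2\.0$")
FROM_USER_RE = re.compile(r"^From:\s*(?:\"[^\"]*\"\s*)?<?sips?:([^@>\s]+)@", re.I | re.M)


class SipRegisterGuard:
    """Sliding-window limiter for REGISTER requests, keyed by source IP (constructed thresholds)."""

    def __init__(self, window_s=60.0, max_attempts=20, max_users=5, block_s=300.0):
        self.window_s, self.max_attempts = window_s, max_attempts
        self.max_users, self.block_s = max_users, block_s
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)
        self.users: Dict[str, Dict[str, float]] = defaultdict(dict)  # ip -> user -> last seen
        self.blocked_until: Dict[str, float] = {}

    def check(self, ts: float, src_ip: str, raw: str) -> str:
        """Return 'pass', 'drop' (malformed, or source already blocked) or 'block'."""
        if self.blocked_until.get(src_ip, 0.0) > ts:
            return "drop"
        m = REQUEST_LINE_RE.match(raw.split("\r\n", 1)[0])
        if not m:
            return "drop"             # malformed: the registrar never sees it
        if m.group("method") != "REGISTER":
            return "pass"             # only registration is rate limited here
        cutoff = ts - self.window_s
        dq = self.attempts[src_ip]
        dq.append(ts)
        while dq and dq[0] <= cutoff:
            dq.popleft()
        users = self.users[src_ip]
        fm = FROM_USER_RE.search(raw)
        users[fm.group(1) if fm else "?"] = ts
        for stale in [u for u, last in users.items() if last <= cutoff]:
            del users[stale]
        # Many attempts on one account = password guessing; many distinct
        # accounts = enumeration. Either one gets the source blocked.
        if len(dq) > self.max_attempts or len(users) > self.max_users:
            self.blocked_until[src_ip] = ts + self.block_s
            return "block"
        return "pass"


def register(user: str) -> str:
    """Minimal constructed REGISTER for the given account."""
    return (f"REGISTER sip:sip.example.net SIP/2.0\r\n"
            f"From: <sip:{user}@sip.example.net>;tag=abc\r\n"
            f"To: <sip:{user}@sip.example.net>\r\n\r\n")


def constructed_traffic() -> List[Tuple[float, str, str]]:
    """(timestamp, source IP, raw request) events; all constructed, documentation ranges."""
    events = []
    # Legitimate phone: one REGISTER per minute plus a keep-alive OPTIONS.
    for t in (0.0, 60.0, 120.0):
        events.append((t, "198.51.100.7", register("1001")))
    events.append((5.0, "198.51.100.7", "OPTIONS sip:sip.example.net SIP/2.0\r\n\r\n"))
    # Enumeration scan: a new extension every 100 ms.
    for i in range(30):
        events.append((10.0 + i * 0.1, "203.0.113.200", register(str(100 + i))))
    # Password guessing: the same account hammered twice a second.
    for i in range(25):
        events.append((20.0 + i * 0.5, "203.0.113.201", register("1001")))
    # Garbage that must never reach the registrar.
    events.append((30.0, "203.0.113.202", "REGISTER sip:sip.example.net\r\n\r\n"))
    events.append((31.0, "203.0.113.202", "\x00\x00\x00\x00"))
    return sorted(events, key=lambda e: e[0])


def run_sample() -> Dict[str, Counter]:
    """Verdict counts per source for the constructed traffic."""
    guard = SipRegisterGuard()
    verdicts: Dict[str, Counter] = defaultdict(Counter)
    for ts, ip, raw in constructed_traffic():
        verdicts[ip][guard.check(ts, ip, raw)] += 1
    return dict(verdicts)


if __name__ == "__main__":
    for ip, counts in run_sample().items():
        print(ip, dict(counts))
```

The legitimate phone is never touched: re-registering once a minute stays far below the thresholds. The scanner is blocked on its sixth distinct account, the password guesser on its twenty-first attempt, and everything they send for the next five minutes is dropped before the registrar spends any CPU on authentication.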

Operating Modes

NATPass™ was designed with the understanding that different customers and ITSPs have different needs. Combining the available modes gives you a matrix of options. The operating modes are based on how you want NATPass™ to handle connections to the SIP proxy/registrars.

Most ITSPs and enterprises will want maximum scalability and bandwidth savings, with NATPass™ performing VoIP Media Path Optimization (MPO). In some cases, however, NATPass™ is configured in Full mode, bridging the media, when you need tight control over the media stream or have call interception requirements.

In some cases you may want NATPass™ to work with a single FQDN or IP address, the one where your VoIP server resides; in that case it restricts packets to that one server or ITSP. In other scenarios, where multiple proxy/registrars or multiple ITSPs need to share the same Session Border Controller, NATPass™ can be configured as a multi-homed NAT traversal/Session Border Controller and work with several SIP servers. Real-time reports on active accounts and calls going to each ITSP or server are available through the NATPass™ monitoring tool. Multi-homed or not, you can always choose MPO or Full mode for each SIP server NATPass™ works with.

Performance & High Availability

NATPass™ performance depends on the processing power of the hardware and on the number of call setups per second. NATPass™ is an extremely optimized and fast SBC: it can handle ~150 call setups per second on a dual-CPU server. A high-end quad dual-core server should support in the range of 100,000 or more sporadic users (such as softphone accounts), or about 30,000 fixed phone users that stay registered. Capacity depends on the server architecture as well as on the type of usage (residential vs. call center). A dual Pentium server at 3 GHz with a fast FSB and 2 GB of RAM is recommended for large deployments.

NATPass™ supports DNS SRV records, allowing redundant or active-standby proxy servers. For high availability, the NATPass™ application can run on an active server and automatically fail over to a standby server when the active one fails.
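As an added example (not NATPass code), this is how an SBC turns an SRV answer into redundant or active-standby proxy selection under RFC 2782: lower priority numbers are always tried first, equal priorities are load-balanced by weight, and a lower-priority record is only reached after every higher-priority target has failed. The SRV records for _sip._udp.sip.example.net are constructed, not resolved; the "failed" set stands in for whatever liveness tracking (OPTIONS pings, transaction timeouts) the SBC keeps.

```python
import random
from typing import Iterable, List, NamedTuple, Optional, Set


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer: two active proxies sharing load 60/40, plus a standby
# (priority 20) used only when both priority-10 proxies are down.
SAMPLE_SRV = [
    Srv(10, 60, 5060, "proxy1.sip.example.net."),
    Srv(10, 40, 5060, "proxy2.sip.example.net."),
    Srv(20, 0, 5060, "proxy-standby.sip.example.net."),
]


def order_srv(records: Iterable[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """Order records as RFC 2782 prescribes: ascending priority; within one
    priority a weighted random draw, so weight 60 is first ~60% of the time."""
    rng = rng or random.Random()
    by_prio = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered: List[Srv] = []
    for prio in sorted(by_prio):
        # Weight-0 records go to the front of the candidate list, so they are
        # selected only when the random number is 0 (RFC 2782 selection rule).
        pool = sorted(by_prio[prio], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def select_proxy(records: Iterable[Srv], failed: Set[str], seed: Optional[int] = None) -> Optional[Srv]:
    """First target in RFC 2782 order that is not known to be down. Falling
    through to the standby happens only once every active proxy has failed."""
    for r in order_srv(records, random.Random(seed)):
        if r.target not in failed:
            return r
    return None


def share_of_first(records: Iterable[Srv], target: str, trials: int = 2000, seed: int = 0) -> float:
    """Fraction of orderings in which `target` is tried first; should approach weight/total."""
    rng = random.Random(seed)
    recs = list(records)
    hits = sum(order_srv(recs, rng)[0].target == target for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("no failures:", select_proxy(SAMPLE_SRV, set()))
    print("proxy1 down:", select_proxy(SAMPLE_SRV, {"proxy1.sip.example.net."}))
    print("both down:  ", select_proxy(SAMPLE_SRV, {"proxy1.sip.example.net.", "proxy2.sip.example.net."}))
    print("proxy1 share of first tries:", share_of_first(SAMPLE_SRV, "proxy1.sip.example.net."))
```

A pure active-standby pair is simply two records with different priorities; equal priorities with non-zero weights give load sharing instead. Note that SRV ordering only says where to try first: without liveness tracking the SBC would keep offering the failed proxy, so the "failed" set is what actually makes the failover happen.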